GHSA-6xh8-8pfv-53vx typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=6.2.0 <6.2.20 || >=7.6.0 <7.6.5 || >=8.0.0 <8.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Authentication Bypass in TYPO3 CMS

The default authentication service fails to reject empty strings as passwords. It is therefore possible to authenticate as backend and frontend users that have no password set in the database.

Note: TYPO3 does not allow creating user accounts without a password. Your TYPO3 installation might only be affected if a third-party component creates user accounts without a password by directly manipulating the database.
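To check whether an installation has the precondition described above, the following added example (not part of the advisory or of TYPO3) lists accounts whose stored password is NULL or blank. It assumes the standard TYPO3 tables `be_users` and `fe_users` with columns `uid`, `username`, `password`, `deleted` and `disable`; the in-memory SQLite rows are constructed sample data, and on a real site the same query would run over a connection to the site's database.

```python
import sqlite3

# Assumption: standard TYPO3 user tables (backend and frontend users).
USER_TABLES = ("be_users", "fe_users")


def find_passwordless_accounts(conn):
    """Return (table, uid, username, active) for rows with a NULL or blank password."""
    findings = []
    cur = conn.cursor()
    for table in USER_TABLES:  # fixed allow-list, never user input
        cur.execute(
            f"SELECT uid, username, deleted, disable FROM {table} "
            "WHERE password IS NULL OR TRIM(password) = '' ORDER BY uid"
        )
        for uid, username, deleted, disable in cur.fetchall():
            # Deleted or disabled records cannot log in, but still need cleanup.
            active = not deleted and not disable
            findings.append((table, uid, username, active))
    return findings


def build_sample_db():
    """Constructed sample data: two tables, three accounts without a password."""
    conn = sqlite3.connect(":memory:")
    insert = "INSERT INTO {} (uid, username, password, deleted, disable) VALUES (?,?,?,?,?)"
    for table in USER_TABLES:
        conn.execute(
            f"CREATE TABLE {table} (uid INTEGER PRIMARY KEY, username TEXT, "
            "password TEXT, deleted INTEGER DEFAULT 0, disable INTEGER DEFAULT 0)"
        )
    conn.executemany(insert.format("be_users"), [
        (1, "admin", "constructed-hash-placeholder", 0, 0),
        (2, "import_bot", "", 0, 0),       # created by a direct DB write
    ])
    conn.executemany(insert.format("fe_users"), [
        (10, "alice", "constructed-hash-placeholder", 0, 0),
        (11, "sso_user", None, 0, 0),      # NULL password
        (12, "old_sync", "   ", 0, 1),     # blank password, disabled account
    ])
    return conn


if __name__ == "__main__":
    for table, uid, username, active in find_passwordless_accounts(build_sample_db()):
        state = "ACTIVE" if active else "inactive"
        print(f"{table} uid={uid} username={username!r} {state}: no password set")
```

Any row reported as active should get a password set or be disabled, and the component that created it should be identified, in addition to upgrading to a fixed TYPO3 version.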

Metadata

Created: 2024-06-05T14:17:20Z
Modified: 2024-06-05T14:17:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-6xh8-8pfv-53vx/GHSA-6xh8-8pfv-53vx.json
CWE IDs: ["CWE-287"]
Alternative ID: N/A
Finding: F006
Auto approve: 1